http://www.techworld.com/security/news/index.cfm?newsID=9827
By Matthew Broersma
Techworld
16 August 2007
Even seemingly safe web addresses are rife with attack code aiming at
vulnerable clients, according to a new study [1] from the Honeynet
Project. The study also found that methods such as blacklists can be
surprisingly successful in stopping client-side attacks.
Attackers are increasingly turning to end-user systems as a way around
the antivirus and firewall systems that are increasingly blocking access
to traditional attack routes, according to the researchers, who hail
from the US, Germany and New Zealand.
"The 'black hats' are turning to easier, unprotected attack paths to
place their malware onto the end-user’s machine," they said in the
study, called "Know Your Enemy: Malicious Web Servers."
The researchers, using a "high-interaction" client honeypot called
Capture-HPC developed by the Victoria University of Wellington, analysed
more than 300,000 addresses from around 150,000 hosts.
The study looked at various site categories, including adult, music,
news, "warez," defaced, spam and addresses designed to grab traffic from
users who mistype common web addresses. While some categories were more
likely to contain malicious addresses than others, all contained
malicious addresses, the report said.
"As in real life, some 'neighborhoods' are more risky than others, but
even users that stay clear of these areas can be victimised," the report
said. "Any user accessing the web is at risk."
Users can be led to malicious sites via links, typing in an address
manually, mistyping an address or following search-engine results, the
study said.
Safeguards
These results only confirm what security researchers have been saying
for some time now. But the study also analysed the effectiveness of
safeguards against such infections in some detail.
The research showed that blacklists, if regularly updated, can be a
surprisingly effective way of blocking malicious addresses.
The researchers also recommended regular patching, but this may not
always be straightforward, since the study found a prevalence of attacks
against plug-ins and non-browser applications. "Attacks also target
applications that one might have not think about patching, such as
Winzip," the study said.
Another technique that can block attacks would be to use a less popular
browser, such as Opera, the study found. "Despite the existence of
vulnerabilities, this browser didn’t seem to be a target," the study
said.
The data used as the basis for the study has been made available on the
Honeynet Project's website [2].
[1] http://www.honeynet.org/papers/mws/index.html
[2] http://www.nz-honeynet.org/kye/mws/complete_data_set.zip
Received on Fri Aug 17 03:04:07 2007